This document gives troubleshooting guidance for issues you might encounter
during registration and connection.
Invalid configuration
If Google Cloud console cannot read the OIDC configuration from your
cluster, theLOGINbutton is disabled.
Login URL not found
The following issue occurs when the Google Cloud console is not able to reach
the identity provider.
An attempt to log in gets redirected to a page with a "URL not found" error.
To resolve this issue:
If the identity provider is not reachable over the public internet, then you
need to enable the OIDC HTTP proxy to log in via Google Cloud console. In theauthentication.oidcsection of your cluster configuration file, setdeployCloudConsoleProxytotrue. If you have already created a cluster
and want to turn on the proxy, you can edit the ClientConfig custom resource
directly and setuseHTTPProxytotrue:
If the HTTP proxy is enabled and you are still seeing this error, there might
have been an issue with the proxy starting up. To get the logs of the proxy:
Note that even if your identity provider has a well-known CA, for the HTTP
proxy to start, you must provide a value forauthentication.oidc.caPathin
your cluster configuration file.
If the authorization server prompts for consent, and you have not included
theextraparamprompt=consent, then you might see this error. Edit the
ClientConfig object, and addprompt=consenttoextraparams:
If you have not done so already, try authenticating using theAuthentication Plugin for Anthos.
If you are seeing an authorization error logging in with the plugin as well,
then follow thetroubleshooting stepsto resolve the issue with the plugin. Then try logging in via the
Google Cloud console again.
In some cases, if settings are changed on storage service, you might need to
log out explicitly. In the Google Cloud console, go to the cluster details
page, and clickLog out. Then try logging in again.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis document provides guidance for troubleshooting registration and connection issues encountered when using the Google Cloud console.\u003c/p\u003e\n"],["\u003cp\u003eIf the "LOGIN" button is disabled, it means the Google Cloud console cannot read the OIDC configuration from the cluster.\u003c/p\u003e\n"],["\u003cp\u003eA "URL not found" error during login usually indicates that the Google Cloud console cannot reach the identity provider, often requiring the OIDC HTTP proxy to be enabled.\u003c/p\u003e\n"],["\u003cp\u003eIf the HTTP proxy is enabled but the error persists, you can check the proxy logs to see if there are any issues, and ensure \u003ccode\u003eauthentication.oidc.caPath\u003c/code\u003e is set in your cluster configuration file.\u003c/p\u003e\n"],["\u003cp\u003eIf settings are changed on storage service, a logout and login from the Google Cloud console might be required.\u003c/p\u003e\n"]]],[],null,["# Troubleshooting registration and connection\n\n\u003cbr /\u003e\n\nThis document gives troubleshooting guidance for issues you might encounter\nduring registration and connection.\n\nInvalid configuration\n---------------------\n\nIf Google Cloud console cannot read the OIDC configuration from your\ncluster, the **LOGIN** button is disabled.\n\nLogin URL not found\n-------------------\n\nThe following issue occurs when the Google Cloud console is not able to reach\nthe identity provider.\n\nAn attempt to log in gets redirected to a page with a \"URL not found\" error.\n\nTo resolve this issue:\n\n1. If the identity provider is not reachable over the public internet, then you\n need to enable the OIDC HTTP proxy to log in via Google Cloud console. In the\n `authentication.oidc` section of your cluster configuration file, set\n `deployCloudConsoleProxy`to `true`. If you have already created a cluster\n and want to turn on the proxy, you can edit the ClientConfig custom resource\n directly and set `useHTTPProxy` to `true`:\n\n ```\n kubectl --kubeconfig USER_CLUSTER_KUBECONFIG edit clientconfig default -n kube-public\n ```\n2. If the HTTP proxy is enabled and you are still seeing this error, there might\n have been an issue with the proxy starting up. To get the logs of the proxy:\n\n ```\n kubectl --kubeconfig USER_CLUSTER_KUBECONFIG logs deployment/clientconfig-operator -n kube-system\n ```\n\n Note that even if your identity provider has a well-known CA, for the HTTP\n proxy to start, you must provide a value for `authentication.oidc.caPath` in\n your cluster configuration file.\n3. If the authorization server prompts for consent, and you have not included\n the `extraparam` `prompt=consent`, then you might see this error. Edit the\n ClientConfig object, and add `prompt=consent` to `extraparams`:\n\n ```\n kubectl --kubeconfig USER_CLUSTER_KUBECONFIG edit clientconfig default -n kube-public\n ```\n\n Then try logging in again.\n4. If you have not done so already, try authenticating using the\n [Authentication Plugin for Anthos](/anthos/clusters/docs/on-prem/1.10/how-to/oidc).\n If you are seeing an authorization error logging in with the plugin as well,\n then follow the\n [troubleshooting steps](/anthos/clusters/docs/on-prem/1.10/troubleshoot-identity-authorization)\n to resolve the issue with the plugin. Then try logging in via the\n Google Cloud console again.\n\n5. In some cases, if settings are changed on storage service, you might need to\n log out explicitly. In the Google Cloud console, go to the cluster details\n page, and click **Log out**. Then try logging in again."]]
